This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Should applications be running on Dom0

To: "Joseph M. Deming" <joseph.deming@xxxxxxxxxxxxxx>, Xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Should applications be running on Dom0
From: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
Date: Tue, 17 Aug 2010 22:05:49 +0100
Delivery-date: Tue, 17 Aug 2010 14:07:34 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1282076412.2362.134.camel@xxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <AANLkTik_z=795d6SMJMLvvEwO-xcBXZoFCVdXr9bo1hy@xxxxxxxxxxxxxx> <46C13AA90DB8844DAB79680243857F0F0AFE3E@xxxxxxxxxxxxxxxxxxx> <8C26A4FDAE599041A13EB499117D3C28164832D6@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1282076412.2362.134.camel@xxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100713 Thunderbird/3.0.6

Much more simple: Dom0 has access to all disks of all DomUs - no exploits required :)

On 17/08/10 21:20, Joseph M. Deming wrote:
From a casual Xen user's point of view (i.e. I'm not a certified
professional or dev).

Xen dom0 (using my setup in debian as an example) is really just another
domU loaded under the Xen hypervisor itself.  It is 'privileged' in a
sense of controlling the other DomU's and the hardware/virtual device
connections between them, but it is also really just another running
kernel/installation of a Debian OS in my case.

So... apt-get installing packages, running services, etc, etc is really
independent of the responsibilities of the Xen virtualization.  So,
there should be no reason other apps can't run alongside the Xen
application in the Dom0.

However, I assume the general recommendation that apps should NOT be run
alongside Xen in the main Dom0 (especially in production environment)
would stem from two primary thought-processes (maybe more, but these are
the 2 I think about).

1)  Applications running on Dom0 could, theoretically, compromise
security between the Dom0 boxes and the DomU's by providing further
handles that could be leveraged if a security loophole is exploited in
Xen.  In other words, by keeping the Dom0 as a nice clean, minimal
install you minimize the vector of attacks possible that would be
possible by gaining access to the Dom0 kernel or communication between
Dom0's and DomU devices.

2)  Applications running on Dom0, I assume, bypass some of the resource
management that comes on the DomU virtual (and even passthrough)
devices.  Meaning, if you install an application on Dom0 that is
io-intensive on any bus (disk, network, memory, CPU) you can drag the
performance of possibly all your DomU's because the Dom0 is somewhat in
control and dominating disk read/write for example.

I am writing this with a lack of fundamental understanding of the exact
technical design of the Xen system, but I think that the 2 concepts
listed here apply in a general sense even if my wording or technical
terms are somewhat incorrect.  Hope maybe this helps shed a little

- jmd

On Tue, 2010-08-17 at 19:47 +0000, Nathan Eisenberg wrote:
I hear this often, but I have yet to hear a satisfactory and technical
explanation as to why.  I’m not sure I agree that it is true.

Why is this the case?


From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jonathan
Sent: Tuesday, August 17, 2010 12:35 PM
To: Brent Bolin; Xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Should applications be running on Dom0

Depends on what your Xen setup is being used for.

If it's strictly lab/testing/internal things, then it really doesn't

If you're hosting stuff to the outside world, then the only thing that
should be running on the Dom0 (apart from the Xen Guests), is iptables
to firewall the guests.

From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Brent Bolin
Sent: Tue 17/08/2010 20:27
To: Xen-users
Subject: [Xen-users] Should applications be running on Dom0

Or should Dom0 be lightweight, with the guest OSes doing that?

Xen-users mailing list
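A defender-side check for the thread's point that a production Dom0 should run nothing beyond the hypervisor tooling and a host firewall, added here as an example that is not from the list thread: it parses `ss -tlnp`-style output (a constructed sample is embedded) and reports any listening process outside a small allowlist. The allowlist contents, the process names and the exact `ss` output layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the Xen-users thread: audit a Dom0 for listening
# TCP services beyond a small allowlist, in the spirit of "only iptables
# (and the management SSH daemon) should be running on Dom0".
# Assumes the process column looks like `ss -tlnp` output:
#   users:(("name",pid=N,fd=M))

# Constructed sample of `ss -tlnp` output for an imaginary, over-loaded Dom0.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*   users:(("apache2",pid=1402,fd=4))
LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*   users:(("mysqld",pid=1510,fd=21))'

# Process names expected on a minimal Dom0 (assumption: only sshd for management).
ALLOWED="sshd"

# Read ss output from stdin and print, one per line and de-duplicated,
# the names of listening processes that are not in the allowlist ($1).
unexpected_listeners() {
    allowed="$1"
    # Pull out the process name between users:((" and the next quote.
    sed -n 's/.*users:(("\([^"]*\)".*/\1/p' |
    sort -u |
    while read -r name; do
        ok=0
        for a in $allowed; do
            if [ "$name" = "$a" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then printf '%s\n' "$name"; fi
    done
}

# Wrapper suitable for a cron job on the Dom0 itself: exit 1 when anything
# outside the allowlist is listening, so the check can page an operator.
audit_dom0() {
    found=$(unexpected_listeners "$ALLOWED")
    if [ -n "$found" ]; then
        printf 'Unexpected listeners on Dom0:\n%s\n' "$found"
        return 1
    fi
    printf 'Dom0 listeners are within the allowlist\n'
    return 0
}

# Run against the constructed sample; on a real host use:
#   ss -tlnp | audit_dom0
printf '%s\n' "$SAMPLE_SS" | audit_dom0
```

On a real Dom0, replace the sample with a live `ss -tlnp` pipe and extend `ALLOWED` only with daemons you can justify on the privileged domain.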